Skip to content

Commit

Permalink
Updates
Browse files Browse the repository at this point in the history
  • Loading branch information
hectorcast-db committed Oct 29, 2024
1 parent b5c9ded commit 273ec5f
Show file tree
Hide file tree
Showing 2 changed files with 81 additions and 11 deletions.
71 changes: 62 additions & 9 deletions .github/workflows/external-message.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,27 +11,79 @@ on:
branches:
- main

pull_request:
types: [opened, reopened, synchronize]



jobs:
comment-on-pr:
runs-on: ubuntu-latest
permissions:
pull-requests: write

steps:
- name: Check if external contribution
id: check_fork
# NOTE: This is not 100% accurate, but it should work for most cases.
- name: Check user and potential secret access
id: check-secrets-access
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
echo "is_fork=true" >> $GITHUB_OUTPUT
USER_LOGIN="${{ github.event.pull_request.user.login }}"
REPO_OWNER="${{ github.repository_owner }}"
REPO_NAME="${{ github.event.repository.name }}"
echo "Pull request opened by: $USER_LOGIN"
# Check if PR is from a fork
IS_FORK=$([[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]] && echo "true" || echo "false")
HAS_ACCESS="false"
# Check user's permission level on the repository
USER_PERMISSION=$(gh api repos/$REPO_OWNER/$REPO_NAME/collaborators/$USER_LOGIN/permission --jq '.permission')
if [[ "$USER_PERMISSION" == "admin" || "$USER_PERMISSION" == "write" ]]; then
HAS_ACCESS="true"
elif [[ "$USER_PERMISSION" == "read" ]]; then
# For read access, we need to check if the user has been explicitly granted secret access
# This information is not directly available via API, so we'll make an assumption
# that read access does not imply secret access
HAS_ACCESS="false"
fi
# Check if repo owner is an organization
IS_ORG=$(gh api users/$REPO_OWNER --jq '.type == "Organization"')
if [[ "$IS_ORG" == "true" && "$HAS_ACCESS" == "false" ]]; then
# Check if user is a member of any team with write or admin access to the repo
TEAMS_WITH_ACCESS=$(gh api repos/$REPO_OWNER/$REPO_NAME/teams --jq '.[] | select(.permission == "push" or .permission == "admin") | .slug')
for team in $TEAMS_WITH_ACCESS; do
IS_TEAM_MEMBER=$(gh api orgs/$REPO_OWNER/teams/$team/memberships/$USER_LOGIN --silent && echo "true" || echo "false")
if [[ "$IS_TEAM_MEMBER" == "true" ]]; then
HAS_ACCESS="true"
break
fi
done
fi
# If it's a fork, set HAS_ACCESS to false regardless of other checks
if [[ "$IS_FORK" == "true" ]]; then
HAS_ACCESS="false"
fi
echo "has_secrets_access=$HAS_ACCESS" >> $GITHUB_OUTPUT
if [[ "$HAS_ACCESS" == "true" ]]; then
echo "User $USER_LOGIN likely has access to secrets"
else
echo "is_fork=false" >> $GITHUB_OUTPUT
echo "User $USER_LOGIN likely does not have access to secrets"
fi
- uses: actions/checkout@v4

- name: Delete old comments
if: steps.check_fork.outputs.is_fork == 'true'
if: steps.check-secrets-access.outputs.has_secrets_access != 'true'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
Expand All @@ -48,18 +100,19 @@ jobs:
fi
- name: Comment on PR
if: steps.check_fork.outputs.is_fork == 'true'
if: steps.check-secrets-access.outputs.is_fork != 'true'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
run: |
gh pr comment ${{ github.event.pull_request.number }} --body \
"<!-- INTEGRATION_TESTS -->
Run integration tests manually:
[go/deco-tests-run/sdk-go](https://go/deco-tests-run/sdk-go)
Inputs:
PR Number:${{github.event.pull_request.number}}
Commit SHA:${{ github.event.pull_request.head.sha }}
* PR number: ${{github.event.pull_request.number}}
* Commit SHA: \`${{ env.COMMIT_SHA }}\`
Checks will be approved automatically on success.
"
21 changes: 19 additions & 2 deletions .github/workflows/integration-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,28 @@ on:


jobs:
# Secrets are not available for forks.
check-token:
name: Check secrets access
runs-on: ubuntu-latest
outputs:
has_token: ${{ steps.set-token-status.outputs.has_token }}
steps:
- name: Check if GITHUB_TOKEN is set
id: set-token-status
run: |
if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
echo "GITHUB_TOKEN is empty. User has no access to tokens."
echo "::set-output name=has_token::true"
else
echo "GITHUB_TOKEN is set. User has no access to tokens."
echo "::set-output name=has_token::false"
fi
trigger-tests:
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
name: Trigger Tests
runs-on: ubuntu-latest
needs: check-token
if: github.event_name == 'pull_request' && needs.check-token.outputs.has_token == 'true'
environment: "test-trigger-is"

steps:
Expand Down

0 comments on commit 273ec5f

Please sign in to comment.